Last night I created a jail and installed the software I’ll need. Most of this was done via Ansible. I also configured Bacula both on the server and in the jail. Tonight, I’ll be configuring the host so the jail can see and use the tape library. By default, such devices are not available from within a FreeBSD jail.

Warner Losh gave me some commands to try out on the host, while running the command in the jail. We tracked it down to … kern.securelevel.

It seems I checked kern.securelevel on bacula-sd-01, but the server in question was bacula-sd-02.

Doh.

What?

Yeah, I was asked twice about kern.securelevel. Both times I reported the original failure. If it helps, when I was asked the second time, the server was offline because it was mid-way through moving it in the rack.

Adjusting the host – and doing it correctly

Here is what I used in /etc/devfs.rules on the jail host so that the jail could view the tape library:

You’ll see bacula.unixathome.org specified in the TLS Allowed CN clause above. The CN (bacula.unixathome.org) differs from the hostname (bacula.int.unixathome.org) upon which bacula-dir runs. Don’t let that distract you. Generally though, the hostname and the CN (Common Name) within the certificate match.

Upgrade later

After the above work was completed, all bacula-dir and bacula-sd were upgraded from 7.4.7 to 9.0.6 (NOTE: you must keep all bacula-sd and bacula-dir on the same version. Always. bacula-fd can be the same version [as bacula-dir/bacula-sd] or older; it can never be newer).